ASAMPSA_E Report Summary

The Fukushima Dai-ichi nuclear accident in Japan resulted from the combination of two correlated extreme external events (earthquake and tsunami). The consequences, especially flooding, went beyond what was considered in the initial nuclear power plant (NPP) design.Such situations can be identified using probabilistic safety assessment (PSA) methodology that complements the deterministic approach for beyond design accidents. If the results of a PSA conclude that such a low probability event can lead to extreme consequences, industry (system suppliers and utilities) or Safety Authorities may take appropriate decisions to reinforce the defence-in-depth of the plant.The project ASAMPSA_E aimed at promoting PSA good practices for the identification of such situations and for the definition of appropriate criteria for decision-making in the European context. In the framework of the project, an “extended PSA” (probabilistic safety assessment) applies to a site of one or several Nuclear Power Plant(s) (NPP(s)) and its environment. It intends to calculate the risk induced by the main sources of radioactivity (reactor core and spent fuel storages, other sources) on the site, taking into account all operating states for each main source and all possible relevant accident initiating events (both internal and external) affecting one NPP or the whole site.The project offered a framework to discuss, at a technical level, how “extended PSA” can be efficiently developed and used to verify the robustness of Nuclear Power Plants (NPPs) in their environment.Three phases have been developed from 2013 to 2016: (1) the identification of the PSA End-Users needs for “extended PSA”, (2) the development of guidance reports and (3) a peer review of the reports developed in the project. 24 technical reports have been developed by the project partners (more than 100 experts from 31 organisations in 18 European countries, United States and Japan were involved) and cover:• bibliography,• general issues for PSA : lessons of the Fukushima Dai-ichi accident for PSA, list of external hazards to be considered, methodology for selecting initiating events and hazards in PSA, risk metrics, the link between PSA and the defence-in-depth concept and the applications of extended PSA in decision making),• methods for the development of earthquake, flooding, extreme weather, lightning, biological infestation, aircraft crash and man-made hazards PSA• severe accident management and PSA : optimization of accident management strategies, study of spent fuel pool accident and recent results from research programs.

Project Context and Objectives:

1 ASAMPSA_E INITIAL CONTEXT

In all European countries the Probabilistic Safety Assessment (PSA) methodology is used to confirm and enhance the safety of Nuclear Power plants (NPP) in complement to the deterministic approach. The role and importance of PSA is defined and emphasized in many national and international safety standards (IAEA, WENRA...). PSA have been developed for internal initial events for most reactors in Europe. Internal fire, internal flooding and seismic PSA are also often developed. The other external events PSAs are more rarely fully developed.The 2011 Fukushima Dai-ichi accident has then shown that extreme external events, with magnitude largely beyond the NPP design, can strike a NPP and make impossible the NPP control. In the history of nuclear industry, some high amplitude external events above the plant design conditions have already occurred but without significant consequences. These events have then been investigated to reinforce the NPPs and the safety rules. It is vital for the protection of populations and environment to be sure that all operated NPPs are adequately protected against such situations. If adverse conditions lead to a reactor core cooling failure and core melt, releases of fission products have to be largely mitigated with the use of the severe accident management (SAM) provisions.The PSA methodology is a structured approach able, in theory, to demonstrate that the NPP protections are sufficient. But one question rose after the Fukushima Dai-ichi accident was if the existing PSAs practices are really able to identify the previously mentioned events and their consequences. How being sure that existing and future PSA developments efficiently contribute to appropriate decision-making on NPP safety enhancement and to the protection of the public and the environment?

2 - THE PROJECT ORIGIN

21 – MAIN OBJECTIVES

In this context, the ASAMPSA_E (Advanced Safety Assessment Methodologies: extended PSA) project aimed at examining in details how far the PSA methodology application is able to identify any major risk induced by the interaction between NPPs and their environment, and to derive some technical recommendations for PSA developers and users. The project was open to European (and non-European) organizations having responsibility in the development and application of PSAs in response to the regulator requirements.The following definition has been used for this project: “An extended PSA (probabilistic safety assessment) applies to a site of one or several Nuclear Power Plant(s) (NPP(s)) and its environment. It intends to calculate the risk induced by the main sources of radioactivity (reactor core and spent fuel storages) on the site, taking into account all operating states for each main source and all possible accident initiating events affecting one NPP or the whole site”. An extended PSA should consider, for all reactors and spent fuel storages on a nuclear site, the risk contributions: - from internal initiating events on each reactor, - from internal hazards (internal flooding, internal fire, etc.), - from single and correlated external hazards (earthquake, external flooding, external fire, extreme weather conditions or phenomena, oil spills, industrial accident, explosion, etc.), - from the possible combinations of previous events,- from the interdependencies between the reactors and spent fuel storages on a same site.An extended PSA shall include a minima a Level 1 PSA (L1 PSA), which calculates scenarios of fuel damage (and their frequencies) and a Level 2 PSA (L2 PSA) which calculates scenarios of radioactive releases (frequencies, kinetics and amplitude of releases) and could include a Level 3 PSA (L3 PSA) which calculates the risk for the population, the environment or the economy.

Disasters associated to human activities were often predicted but not prevented. The decision-making process to prevent risk coming from rare events is difficult and associated to the societal acceptance of risks, to the economic constraints and sometimes to criteria (or absence of criteria) to discriminate between what is acceptable or not. The PSA methodology is, in theory, able to combine all components of risks (frequencies, consequences) but, in real practices, the credibility of results and conclusions has always to be proven. The relevance of a PSA depends on the quality of its content that includes:- plant or site operating states definition,- definition, characterization and frequency of accident initiating events (internal events, internal and external hazards and their combinations),- human and equipment failure modelling (fault trees),- accident sequences modelling (event tree approach),- accident consequences assessment,- supporting studies to justify assumptions in PSA event trees on all previous topics,- results presentation and interpretation as input for the decision-making process.

For European countries, it seemed that harmonization of practices or technical exchanges could be useful on the steps mentioned above with a focus on external hazards or in general high impacts events.

22 - LINK BETWEEN ASAMPSA_E AND THE STRESS TESTS PROCESS OF NUCLEAR INDUSTRY

The Fukushima Dai-ichi accident has led the European Commission and the National Safety Authorities to request a public review, “stress tests” [see http://ensreg.org/EU-Stress-Tests], of all European NPPs, with the objective to assess the NPPs robustness and to identify some possibilities of reinforcements where needed. This review, organized by ENSREG, based on a deterministic approach (postulated conditions), examined the European NPPs resilience against events like earthquake or flooding, and the response in case of partial or total loss of the ultimate heat sink and/or loss of electrical power supply.The review concluded that the level of robustness of the concerned plants was sufficient but for many plants, safety reinforcements have been defined or accelerated to face the possibility of beyond design events. The reinforcements include:- protective measures (against flooding, earthquake),- additional equipment (mobile equipment, hardened stationary equipment) able to control the NPP in case of beyond design event,- protective structures (reinforced local crisis centers, secondary control room, protective building for mobile equipment ...),- severe accident management provisions, in particular for hydrogen management and containment venting,- new organizational arrangements (procedures for multi-units accidents, external interventions teams able to secure a damaged site ...).

Action plans to implement these measures are still discussed in all European countries.In parallel with this stress test process and its follow up actions, there is an interest to confirm through “extended PSA” results, the high level of robustness of NPPs after the implementation of the safety reinforcements described above. Building a meaningful risk assessment model for NPPs and their environment is a difficult task which is resource and time consuming, even if some guidance already exists on many topics. The ASAMPSA_E project provided an opportunity to examine which PSA methodologies have already been implemented and how efficient they are (optimization of resources, potential for identification of NPP weakness ...). This project was intended to help the acceleration of the development of such “extended PSA” in the European countries with the objective to help European stakeholders to verify that all dominant risks are identified and managed. Due to the Fukushima Dai-ichi accident, the ASAMPSA_E project had to give importance to the risks induced by the possible natural extreme external events and their combinations.

Today, it is recognized that a severe accident management program has to be implemented on NPPs and that appropriate L2 PSAs for decision-making were needed. The discrepancies between the status of existing L2 PSAs, within different European countries and organizations, identified during the period 2006-2008 within SARNET (European Severe Accident Network of Excellence), has conducted the European Commission to support the EURATOM FP7 ASAMPSA2 project: 21 European organizations (plant operators, plant designers, Technical Safety Organizations (TSO), Safety Authorities and Research Centers) have collaborated within this project to the development of some European best-practice guidelines for L2 PSA developments and applications in relation with knowledge gained from research activities. These guidelines contribute to some harmonization of practices within European Countries and can help in developing L2 PSA with high quality and costs optimization.The ASAMPSA2 guidelines were discussed in March 2011 (7-9 March 2011) during a final workshop (in Helsinki, Finland) with the End-Users and scientific (in particular from SARNET) community which recognized the quality of these documents and suggested some possible improvements for their final versions. In addition, this workshop was an opportunity to identify the possible follow-up actions of interest: (1) L2 PSA methodology and tools : a need has been expressed for probabilistic tools able to incorporate deterministic models for the simulation of accident progression in an event tree and to calculate radioactive release for each accident sequence : such tools should include Monte-Carlo simulations and offer possibilities for the dynamic reliability methods and importance analysis ; despite previous harmonization efforts, interface between L1 and L2 PSA remains a topic where some improvement of methodology and tools can justify further efforts,(2) Extension of L2 PSA guidance for shutdown reactor states and external events: an extension of the existing ASAMPSA2 guidelines for shutdown states has been recognized as a topic of interest but the major point for guidance improvement was the extension to external hazards ; in particular the significant contribution of external hazards to the global risk was discussed during the final ASAMPSA2 workshop because the ASAMPSA2 guidance only cover internal initiating events,(3) Summary document on L2 PSA requirements (quality indicators) : the End-Users have expressed interest for a summary document from the ASAMPSA2 guidelines that would provide main requirements (quality indicators) to be associated to L2 PSA development and application,(4) Risk metrics: the elaboration of L2 PSA risk metrics that could be applied commonly for all European plants and that could be understood easily by non “L2 PSA experts” is seen as an additional possibility for harmonization at European level.(5) Research / Database on experimental data available for L2 PSA needs: when developing a L2 PSA, it is required to justify many assumptions related to the phenomena on the basis of available experimental results (or use of qualified simulation tools); a need has been expressed for some specific documents explaining the existing relation between experimental results and possible assumptions in L2 PSA; this may be extremely useful and cost effective to maintain all existing knowledge, and to make easier the transfer of knowledge towards younger generation in a pragmatic and structured way; SARNET recent findings may be a starting point for such an activity with establishing a database of available experiences for different phenomena (collected in one document, or considered as a complement in the ASAMPSA2 guideline) and formalization of structured expert judgment; interest of a collaborative action would be to compare experience and conclusions of experts from different organizations; nevertheless, it is recognized that the objective cannot be the definition of generic data (like split fractions for event trees) that could be applicable to all nuclear power plants, whatever their design.(6) Plant Safety: link between severe accident management options and L2 PSA results: different severe accident management strategies have been implemented on some NPPs, even if the initial plant design is similar; international comparison between the different approaches should help experts understanding the origin of differences and to contribute to the reinforcement of the local options. L2 PSA can be an efficient tool to support such a comparison; sharing experience, at European level, based on L2 PSA outcomes, can be an efficient way to discuss the efficiency of the different possible severe accident management strategies.(7) Training and review services by ASAMPSA2 experts: some specific services can be organized and provided by the experts involved in the ASAMPSA2 project for reviewing existing L2 PSA or for training.It has been decided to address in the ASAMPSA_E project the topics (2) (reactor shutdown states and external hazards, (4) (risk metrics) and (6) (severe accident management strategies) and that other topics could be addressed in some other frameworks.

Project Results:

3 – MAIN RESULTS OF ASAMPSA_E

31 – ASAMPSA_E PHASE 1: BIBLIOGRAPHY AND FIRST PSA END-USERS SURVEY

During the first phase of the project, few reports have been drafted in order to identify existing standards or publications that could be useful for the development or the application of “extended PSA”.

It was also important to organize some exchanges with the PSA End-users community in order to identify some important issues that should be addressed by the project. A questionnaire has been sent to more than 100 organizations involved in these activities to get their opinions on the extended PSA concept and objectives. Their answers have been presented and discussed during an international workshop organized in May 2014 at Uppsala, Sweden with the help of Forsmark NPP. The conclusions of this workshop have been summarized in:

D10.2 “Synthesis of the initial End-users survey related to the PSA End-users need”.

The D10.2 report examines the End-Users survey response following (1) the scope and background of the ASAMPSA_E project, (2) the lessons learnt by respondent from past real events/hazards for PSA developments, (3) Definition and scope of extended PSA, (4) Uses and application of extended PSA, (5) quality of extended PSA, (6) Technical needs for extended PSA developments and (7) outcomes and recommendations for the extended PSA project. 62 recommendations have been formulated for the project and have then been taken into account by the ASAMPSA_E partners.

32 – ASAMPSA_E PHASE 2: GUIDANCE AND TECHNICAL REPORTS DEVELOPMENT

During the second phase of the project, the following guidance and technical reports have been developed to fulfill the objectives of the project.

321 – GENERAL ISSUES FOR PSA

The following 7 reports introduce some general issues for extended PSA. The summary has been extracted from each report.

D30.2 “Lessons of the Fukushima Dai-ichi accident for PSA”

The executive summary of this report is provided hereafter. It clearly concludes that existing NPPs PSAs need important improvements during the coming years.

“The Fukushima Dai-ichi nuclear accident in Japan resulted from the combination of two correlated extreme external events (earthquake and tsunami). The consequences (flooding in particular) went beyond what was considered in the initial NPP design. Such situations can be identified using PSA methodology that complements the deterministic approach for beyond design accidents. If the performance of a L1 and L2 PSA concludes that such a low probability event can lead to extreme consequences, the industry (system suppliers and utilities) or the Safety Authorities may take appropriate measures to reinforce the defence-in-depth of the plant. In this report, the implications from the Fukushima Dai-ichi accident for PSA L1 and L2 and to decision making using PSA results have been investigated by the ASAMPSA_E project. Since the scope of PSA in Japan in general as well as for the Fukushima Dai-ichi units did not extend to the relevant scenarios, direct lessons to be learned on these issues are limited. Therefore, the authors have used their experience on the current status of PSA L1 and L2 models worldwide and in Europe as well as the insights gained from the responses to an ASAMPSA_E questionnaire for identifying further gaps of PSA methodologies and for derived related conclusions and recommendations.Some main lessons learned on PSA L1 and L2 as well as decision making using PSA results is briefly summarized in this report. The complete summary of this report is provided in section 6, which includes a numbered list of the conclusions and recommendations.In view of Fukushima Dai-ichi accident, the existing (L1 and L2) PSAs for NPPs manifest specific insufficiencies about the identification of rare events and their combinations. Efforts should be put mainly on the improvement of the adequacy of criteria for the identification of initiators, including rare events and their combinations, of the assessment of their frequency of occurrence versus severity and of the models for components/systems/structures failure. More generally, initiating events should be systematically determined for all operating modes and relevant sources of radionuclides and include all hazard impacts with a special focus on low probability/high impact events, which can significantly challenge the DiD concept of the plant and thus may give rise to cliff-edge effects. Specific to hazards, this includes the systematic extension of the PSA scope to beyond design basis hazard scenarios (at frequencies below ~ 10E-4 per year) as well as combinations of hazards events with other events, which includes correlated hazards as well as uncorrelated combinations with sufficient probability. Internal and external hazards shall include natural and man-made hazards that originate externally to both the site and its processes. The list of external hazards shall be as complete as possible. Justification shall be provided on its completeness and relevance to the site. The insights in this report confirm that safety related decision making should be made within a risk-informed context, encompassing deterministic, probabilistic and other information. Risk-informed decision making should consider the risk profile of the plants based on sets of PSA risk measures/metrics for L1 and L2, which are understood and presented as uncertainty distributions. These should be accompanied with sensitivity analyses demonstrating the influence of different important sources of uncertainty. Risk-informed decision making should consider always potential long-term consequences of accidental releases. Moreover, the decision making should take into account uncertainty assessments on safety margins, particularly those to known or suspected cliff-edge effects. In summary, the Fukushima Dai-ichi accident justifies the basic assumption of the ASAMPSA_E project of extending the scope of PSA to include all operating modes, all events and hazards, and all relevant potential sources like e.g. the spent fuel pool. It has to be acknowledged that extended PSA models, which cover all the scenarios and events recommended above, will require a lot of work on the development of efficient PSA methods, generation of (plant-specific) data, further research on such diverse areas as structural analysis, site screening, human reliability, geosciences, severe accident phenomena identification, and on the improvement of PSA models themselves. In this sense, the PSA community is facing a series of complex and difficult problems. The ASAMPSA_E project tackled the aforementioned issues during the project.”

D21.2 “List of external hazards to be considered in ASAMPSA_E”

The D21.2 report includes “an exhaustive list of external hazards posing potential threats to nuclear installations. The list comprises of both, natural and man-made external hazards. Also, a cross correlation matrix of the hazards is presented. The list is the starting point for the hazard analysis process in L1 PSA as outlined by IAEA (2010; SSG-3) and the definition of design basis as required by WENRA (2014; Reference Levels for Existing Reactors).The list is regarded comprehensive by including all types of hazards that were previously cited in documents by IAEA and WENRA-RHWG. 73 natural hazards (N1 to N73) and 24 man-made external hazards (M1 to M24) are included. Natural hazards are grouped into seismotectonic hazards, flooding and hydrological hazards, extreme values of meteorological phenomena, rare meteorological phenomena, biological hazards / infestation, geological hazards, and forest fire. The list of external man-made hazards includes industry accidents, military accidents, transportation accidents, pipeline accidents and other man-made external events.The dataset further contains information on hazard correlations. 577 correlations between individual hazards are identified and shown in a cross-correlation chart. Correlations discriminate between: (1) Causally connected hazards (cause-effect relation) where one hazard (e.g., liquefaction) may be caused by another hazard (e.g., earthquake); or where one hazard (e.g., high wind) is a prerequisite for a correlated hazard (e.g., storm surge).”

The report provides an overview of the considerations in the ASAMPSA_E project for extended PSA applications and decision-making.It appears that screening methodology is an area where harmonization of practices is possible. Concerning risk metrics, safety objectives formulation, verification (with PSA) the defence-in-depth concept, many differences can exist depending on the countries or stakeholders.

There are also limitations in the state-of-art technology and knowledge to develop extended PSA, but when examining the PSA applications at a general level for NPPs safety improvements, development of extended PSA, as far as possible, is expected to improve the quality of PSA applications and of risk informed decision making.

D30.7 vol 2 “Methodology for selecting initiating events and hazards for consideration in an extended PSA”

An extended PSA shall take into account all operating states for each main source and all possible relevant accident initiating events (both internal and external) affecting one unit or the whole site. The combination between hazards or initiating events and their impact on a unit or the whole site is a crucial issue. The D30.7 vol2 report tries to discuss relevant methodologies for this purpose. “The report proposes a methodology to select initiating events and hazards for the development of an extended PSA. The proposed methodology for initiating events identification, screening and bounding analysis for an extended PSA consists of four major steps:(1) a comprehensive identification of events and hazards and their respective combinations applicable to the plant and site; qualitative screening criteria will be applied,(2) the calculation of initial (possibly conservative) frequency claims for events and hazards and their respective combinations applicable to the plant and the site; quantitative screening criteria will be applied,(3) an impact analysis and bounding assessment for all applicable events and scenarios; events are either screened out from further more detailed analysis, or are assigned to a bounding event (group), or are retained for detailed analysis,(4) the probabilistic analysis of all retained (bounding) events at the appropriate level of detail.”

D30.7 vol 3 “Risk metrics for extended PSA”

“This report provides a review of the main used risk measures for L1 and L2 PSA. It depicts their advantages, limitations and disadvantages and develops some more precise risk measures relevant for extended PSAs and helpful for decision-making [...].The general approach for decision making, aims at a multi-attribute decision making approach. This can include the use of several risk measures as appropriate [...]. There is not necessarily a need to aggregate all different risk measures into one overall risk measure. Nonetheless, the issue of suitable risk measures for aggregating risk from similar risk measures (e.g. L2 PSA release categories) is relevant for decision-making and comparison [...]. Section 5 provides some recommendations on risk metrics to be used for an extended PSA. For L1 PSA, Fuel Damage Frequency and Radionuclide Mobilization Frequency are recommended. For L2 PSA, the characterization of loss of containment function and a total risk measure based on the aggregated activity releases of all sequences rated by their frequencies is proposed.”

“This report is dedicated to the investigation of the link between the Probabilistic Safety Assessment (PSA) and the Defence-in-Depth (DiD) concept for Nuclear Power Plant (NPP). The discussion is mainly focused on the capability of an “extended PSA” to support the assessment of DiD. The concepts of DiD and PSA have been developed independently in the history of NPP safety. If appropriately developed, the PSA can provide essential contributions for determining whether the safety objectives are met, the DiD requirements are correctly taken into account, the risk related to the installation is As Low As Reasonably Achievable, and a graded approach to safety is adopted. Moreover, the PSA has the potential to provide insights and results for the assessment of DiD, e.g.: on the independence among DiD levels, on the reliability to be required to provisions, on the modelling of immaterial provisions (e.g. human factor), on the propagation of uncertainty, on the “practical elimination” of events which could lead to early or large releases.The ability of the PSA to reflect the DiD concept (always true in theory) and its potential to provide information complementing the deterministic assessment of DiD are recognized and unquestionable. On the other hand, the use of PSA and its results for the assessments of DiD introduces specific challenges only partially investigated during the ASAMPSA_E project. Among them, the existing PSA models have been often produced without the specific objective to assess the implementation of DiD. If the PSA is used with this particular objective, its results should be presented and exploited in such a way that the contribution of each level of DiD to the overall safety can be checked and potential weaknesses identified. This change of structure of the PSA model could require a significant effort and there is still no clear consensus if the added value justifies it. Furthermore, in spite of the said complementarity, the independent implementation of the DiD concept and development of PSA, together with their native diversity, has been recognized as a benefit to maintain. As general recommendation, both DiD and PSA should be developed and their contributions optimized. In order to enhance their complementarity, the optimization to be searched should maintain a degree of independence in their execution and meantime integrate their “needs” (of data and models) and results, for an exhaustive assessment of the safety architecture based on both deterministic and probabilistic insights.This report provides elements to feed the thoughts about the optimization between the contributions of DiD and PSA to guarantee the safety of the nuclear installation, but further discussion and practical experiences (e.g. benchmarking) are needed to achieve consensus on objectives, scope and approaches for the use of PSA in the assessment of DiD concept and to develop a practical guideline.”

This report has been proposed by NIER to support the development of the deliverable D30.7 vol 4 (PSA and DiD) of the ASAMPSA_E project. It has not been reviewed by the ASAMPSA_E partners and some issues may need to be discussed further. It has nevertheless been discussed during the final ASAMPSA_E workshop (Vienna, sept. 2017). “This report concerns the peculiar roles of the Defence-in-Depth (DiD) concept and the Probabilistic Safety Assessment (PSA) approach for the optimization of the safety performances of the nuclear installation. It proposes a conceptual framework and related process for the assessment of the “safety architecture” implementing DiD, which is articulated in four main steps devoted to (1) the formulation of the safety objectives, (2) the identification of loads and environmental conditions, (3) the representation of the safety architecture and (4) the evaluation of the physical performance and reliability of the levels of DiD. A final additional step achieves the practical assessment of the safety architecture and the corresponding DiD with the support of the PSA. The comprehensive safety assessment of the implemented architecture needs its multi-dimensional representation, i.e. for given initiating event, sequence of possible failures, affected safety function and level of DiD. The risk space (frequency/probability of occurrence, versus consequences) is the framework for the integration between the DiD concept and the PSA approach. Additional qualitative key-notions are introduced in order to address the compliance of the safety architecture with a number of international safety requirements. In this context, the role of the PSA is no longer limited to the verification of the fulfilment of probabilistic targets but includes different contributions to the assessment of the DiD identified in this report.”

322 - EXTERNAL HAZARDS AND PSA

Following the recommendations from the first ASAMPSA_E PSA End-Users survey and the international workshop in Uppsala (Sweden), some guidance reports have been developed on earthquake, flooding, extreme weather (extreme wind, extreme temperature and snow pack), lightning, biological hazards, man-made hazards and aircraft crash.

Each report includes discussions on the following issues, with variant depending on the topic:- how to structure a L1 PSA for the external hazards,- which information are needed from geosciences (if relevant) in terms of hazards modelling and how to build relevant modelling for PSA,- which correlated hazards can be considered and how to model them,- how to define and model the impact of each hazards on SSCs with distinction between the protective structures and devices and the effect of protection failures on other SSCs,- how to identify and model the common cause failures in one reactor or between several reactors,- how to apply HRA methodology for the hazard,- how to credit additional emergency response (post-Fukushima measures like mobile equipment),- how to address the specific issues of L2 PSA,- how to perform and present risk quantification (including choice between separate PSA model or an integrated model (with other initiating events)).

323 – PSA AND SEVERE ACCIDENT MANAGEMENT

Before introducing the ASAMPSA_E outcomes on severe accident management, it is important to remind the result of the previous ASAMPSA2 project.

“The objective of the ASAMPSA2 project was to develop best practice guidelines for the performance and application of Level 2 probabilistic safety assessment (L2 PSA), for internal initiating events, with a view to achieve harmonisation at EU level and to allow a meaningful and practical uncertainty evaluation in a L2 PSA. The project has been supported and funded by the European Commission in the 7th Framework Programme [...].

The recommendations formulated in these 3 volumes are intended to support L2 PSA developers in achieving high quality studies and focussing time and resources on the factors that are most important for safety.

L2 PSA reviewers are another target group that will benefit from the state-of-the art information provided.

This first version of the guidelines is more a set of acceptable existing solutions to perform a L2 PSA than a precise step-by-step procedure to perform a L2 PSA. One important quality of this document is that it has been judged acceptable by organizations having different responsibilities in the nuclear safety activities (utilities, safety authorities or associated TSO, research organization, designer, nuclear service company ...).Hopefully it can contribute to the harmonization of the quality of risk assessments.

Most activities related to the development of the guidelines were performed before the Fukushima Dai-ichi accident. All lessons from the Fukushima Dai-ichi accident, in a severe accident risk analysis perspective, could not be developed in detail in this version of the ASAMPSA2 guidelines.”

Some complementary guidance reports for the assessment of severe accident risks induced by extreme events have been developed in the ASAMPSA_E project and are summarized hereafter.

“The objective of the present document is to provide guidance on the implementation of external events into an “extended” L2 PSA. It has to be noted that L2 PSA addresses issues beginning with fuel degradation and ending with the release of radionuclides into the environment. Therefore, the present document may touch upon, but does not evaluate explicitly issues that involve events or phenomena which occur before the fuel begins to degrade.Following the accident at Fukushima Dai-ichi, the nuclear safety community has realized that much attention should be given to the areas of operator interventions and accidents that may develop at the same time in more than one unit if they are initiated by one or more common external events. For this reason and to fulfill the PSA end-users’ wish list (as reflected by an ASAMPSA_E survey), the attention is mostly focused on interface between L1 and L2 PSA, fragility analysis, human response analysis and some consideration is given to L2 PSA modeling of severe accidents for multiple unit sites, even though it is premature to provide extensive guidance in this area. The following recommendations, mentioned in various sections within this document, are summarized here:1. Vulnerability/fragility analyses should be performed with respect to all external hazards and all structures, systems and components potentially affected that could be relevant to L2 PSA,2. Importance should be given to the assessment of human performance following extreme external events; for extreme circumstances with high stress level, low confidence is justified for SAM human interventions and for such conditions, human interventions could be analyzed as sensitivity cases only in L2 PSA,3. Results presentation should include assessment of total risk measures compared with risk targets able to assess all contributions to the risk and to judge properly the safety (see document D30.7 vol3 for recommendations on PSA results presentation),4. Total risk measures shall be associated to appropriate information on all uncertainties, simplifications and conservatisms that appear today to be inherent to any extended PSA,5. Because NPPs on multi-units sites are in general not fully independent, verification and reassessment of current single PSAs is needed before developing multi-units PSA.Because established methodologies for multi-unit sites L1-L2 PSA analysis are not yet available (even if multi-unit sites L1-L2 PSA analysis are now on-going in some countries), it is recommended to use first a simplified method. The boundary between L1 and L2 PSA shall be defined appropriately and some relevant adaptations/simplifications in both L1 and L2 PSA may be considered (in a first step) to limit the complexity of the multi-unit sites L1-L2 PSA development.”

“For each NPP, severe accident management (SAM) strategies shall make use of components or systems and human resources to limit as far as possible the consequences of any severe accident on-site and off-site. L2 PSA is one of the tools that can be used to verify and improve these strategies.The D40.7 vol 3 report provides an opportunity for a comparison of objectives in the different countries in terms of SAM strategies verification and improvement. The report summarizes also experience of each partner (including potential deficiencies) involved in this activity, in order to derive some good practices and required progress, addressing:- SAM modeling in L2 PSA,- Positive and negative aspects in current SAM practices,- Discussion on possible criteria related to L2 PSA for verification and improvement: risk reduction (in relation with WP30 activities on risk metrics), reduction of uncertainties on the severe accident progression paths until NPP stabilization, reduction of human failure conditional probabilities (depending on the SAM strategy, the environmental conditions ...), - Review with a perspective of verification and improvement of the main SAM strategies (corium cooling, RCS depressurization, control of flammable gases, reactivity control, containment function, containment pressure control, limitation of radioactive releases, ...),- SAM strategies to be considered in the context of an extended L2 PSA (as far possible, depending on existing experience), taking into account all operating modes, accidents also occurring in the spent fuel pools (SFPs) and long term and multi-unit accidents.

The deliverable D40.7 vol3 is developed from the partners’ experience. Many of the topics described here are beyond the common practices of L2 PSA applications: in some countries, L2 PSA application is limited to the calculations of frequencies of release categories with no formal requirement for SAM verification and improvement.”

“This report can be considered as an addendum to the existing ASAMPSA2 guidance for L2 PSA. It provides complementary guidance for L2 PSA for accident in the NPP shutdown states and on spent fuel pool and comments on the importance of these accidents on nuclear safety. It includes also information on recent research and development useful for L2 PSA developments.

The conclusions of the ASAMPSA_E end-users survey and of technical meetings of WP10, WP21, WP22, and WP30 at Vienna University in September 2014 which are relevant L2 PSA have been reflected and are taken into account as much as it is possible with the current status of knowledge.

For L2 PSA in shutdown states, two plant conditions are to be distinguished:- accident sequences with RPV head closed,- accident sequences with RPV head open.

When the RPV head is closed, core melt accident phenomena are very similar to the sequences going on in full power mode. Therefore, the large body of guidance which is available for full power mode is basically applicable to shutdown mode with RPV closed as well. When the RPV is open, some of the L2 PSA issues become irrelevant compared to full power mode, while others come into existence. The situation is different for aspects which do not exist or which are less pronounced in sequences with RPV closed.

The report also covers containment issues in shutdown states and discusses the applicability of existing guidance, potential gaps and deficiencies and recommendations are provided.

For spent fuel pool accidents in L2 PSA, a set of issues is identified and addressed. If the spent fuel pool is located inside the containment, the potential release paths to the environment are almost the same as for core melt accidents in the RPV. If the spent fuel pool is located outside the containment, the potential release paths to the environment depend very much on plant specific properties, e.g. ventilation systems, building doors, roof under thermal impact, size of rooms on the path etc. In any case the impact of very hot gas and of hydrogen has to be considered. The dependencies between reactor accident and SFP management appear to be an important issue for L2 PSA risk assessment.

The report provides information on ongoing R&D activities which may support the preparation of guidelines for “traditional” and extended L2 PSA. In addition, a list is provided for those topics which seem to have inadequate covering in present activities.

The development of PSA for multi-units site was an important topic for the ASAMPSA_E project. Some considerations have been included in each of the reports described above.

The following paper, prepared for ESREL 2017, is a tentative of summary of ASAMPSA_E considerations on this issue : ESREL2017 “Objectives, challenges and development of multi-unit PSA – considerations from the ASAMPSA_E project” E. Raimond (IRSN), M. Kumar (LRC), H. Loeffler, A. Wielenberg (GRS)

33 – ASAMPSA_E PHASE 3: EXTERNAL PEER REVIEW

The previous reports, in draft version, have been submitted to a peer review during the summer 2016 with a survey questionnaire. The answers were discussed during an international workshop organized in Vienna University 12-14 September 2016. The conclusions of the workshop and a synthesis of the survey for each ASAMPSA_E report are available in:

D10.3 - Synthesis report of the End-Users survey and review of ASAMPSA_E guidance and final workshop conclusions. Identification of follow-up useful activities after ASAMPSA_E

This report includes a general evaluation and some proposal for follow-up activities:

“Most of active End-users consider that overall documentary structure is suitable and intend to use the project deliverables. However, some End-users comments underline that reports could be considered as state-of-the-art review rather than guidance for industrial applications. Answers also highlight that some End-users expectations have not been treated or with an unsufficient level of details; the most often mentioned issues are the following: methodology for simultaneous accident progression in core and SFP, the level of conservatism (same level in all PSA parts ...?), how to include mobile equipment in PSA, how and when “seasonal PSA (winter/summer)” must be developed? It might be interesting to address these issues in future activities.In addition to issues identified in previous paragraphs, respondents have also mentioned the following areas for follow-up activities: treatment of uncertainties for combination of external hazards, rare events; methodologies for multi-unit sites L1-L2 PSA; modelling long-lasting accident progression; PSA for internal hazard, mainly fire; HRA issues; assessment of releases into waters and ground and related source term characteristics; risk aggregation; risk-informed decision process and PSA model capability; best practice to use PSA, interpret and present the results; PSA modelling for DiD assessments. In the event of a new proposal, respondents would be interested to participate again. “More precisely, the Vienna workshop participants have concluded that the following issues could be part of further collaborative research activities:(1) Comparison of risk metrics applications at international level.(2) Available methodologies to demonstrate that DiD is appropriately implemented.(3) RIDM and extended PSA will need further exchanges of information at international level.(4) A project of method for hazards combination modelling could be built for some specific examples (extreme weather correlated events seem to be a good candidate).(5) Benchmark on the importance of non-safety system and secondary impacts in external hazards assessment.(6) Aftershocks modelling (probabilities of occurrence, amplitude ...)(7) Application of fault rupture modelling for PSA.(8) Specific method to calculate the probability of fire induced by earthquakes.(9) Multi unit issues(10) Combination of hazards assessment and modelling(11) Uncertainties in the assessment of flooding event frequency for the different causes(12) Assessment of SSCs fragilities for flooding (e.g.: water propagation modelling).(13) Applicable methodologies to predict extreme weather conditions obviously need further research activities, especially on combined extreme weather events,(14) Considering the slow progress in this area and the limited reliability of data for PSA, PSA cannot be a recommended approach and alternative approach shall be preferred for risk identification and management. This may need some further clarification.(15) Organize a benchmark on existing PSA with regard to LUHS (loss of ultimate heat sink): risk quantification and UHS design comparison (with back fitting examples).(16) In relation with PSA activities (or RIDM) discuss calibration of lightning protections and compare protections solution in different area (data server -e.g. google, military applications, communication devices, airplane traffic,...).(17) It appears that a limited experience in external initiating events L2 PSA exists. This topic shall be considered later for international cooperative actions.(18) Practices exchanges on SA qualification: which environmental conditions shall be defined,(19) Implementation of FLEX strategy and link with L2 PSA(20) Dry spent fuel storage risk assessment.(21) Which conditions allow SFP stabilization in case of accident?

Potential Impact:

4 – ASAMPSA_E POTENTIAL IMPACTS, MAIN DISSEMINATION ACTIVITIES AND EXPLOITATION OF THE RESULTS

41 – PROJECT COMMUNICATION

Communications (papers, presentations) were done to promote the project results in the nuclear PSA community or generally speaking in the risk assessment international community. Many times, the ASAMPSA_E project was invited by the event organizers. For example, communications were done at an ARCADIA project workshop (2014), at the EGU (European geoscience Union) conference in 2015 (EGU 2015), at the ESREL 2015 conference, at the NENE 2016 conference, at the NUCLEAR 2016 conference, at the annual OCDE/NEA CSNI-WG-Risk meetings (2013,2014,2015,2016,2017), PSAM13 conference (2017), at the ESREL 2017 conference, in the Disaster Risk Management Knowledge Centre (DRMKC) report 2017 or at an IAEA, workshop on multi-units PSA (2016).

A public web site is available since the beginning of the project, and some project summaries are available on EU (CORDIS, EUROPA), partners or NUGENIA websites.Some information on the ASAMPSA_E project has been provided by each partner to its contacts involved in PSA development and application.

42 – POTENTIAL IMPACT

The ASAMPSA_E was intended to promote and help the development of high quality complete PSA for NPPs in Europe. This task is now on-going in many countries and a clear tendency is to extend the scope of existing PSA. The ASAMPSA_E guidance reports can be applied as starting point for many issues. The project results can also be used for the development of national of international standards (by IAEA for example).

Number of PSA teams’ representatives showed interest for the ASAMPSA_E project during its development. This project, with open results, was quite unique in terms of diversity of topics examined during a rather limited time period.

The End-Users survey concluded that “reports could be considered as state-of-the-art review rather than guidance for industrial applications”. This is obviously a limit for such a research project. The same remark was also done for the previous ASAMPSA2 project. Nevertheless, guidance for industrial application should be developed by industry itself and shall be specific to each context. Promoting a single solution would not be accepted by the PSA international community if there is a diversity of available technical solutions.

Hopefully the ASAMPSA_E project will have a significant contribution to the development, in all countries having NPPs, of high quality PSAs, as complete as possible, and to some NPPs reinforcements if weaknesses are identified through these developments.